An article I read this morning on one of my security websites reminded me that, when it comes to cyber security awareness, small business executives are also employees, but with a twist: they hold the keys to the kingdom.
While more CEOs and business owners than ever now recognize the threats small organizations face from hackers, cyber criminals have likewise recognized the value of attacking executives directly, because executives have access to the most sensitive information a company handles.
The article pointed to a finding by researchers at the security software developer Trend Micro: 45 percent of the phishing attacks they studied directly targeted the CEO's email address rather than being spread across everyone in the organization (anecdotally, I have seen an increase in direct attacks on CEOs as well).
Attacks aimed at the CEO are known as "whaling" because the CEO is considered the big fish in a company. At 45 percent, that is almost as many attacks against the CEO as against everyone else in those organizations combined. Managing Directors and Chief Financial Officers are also frequent targets, at 9.7% and 4.8% respectively.
What makes this important is that I encounter executives who at times consider themselves to be almost immune to the attacks their employees face.
The article quotes Ryan Flores of Trend Micro: CEOs and other top executives sometimes view email security mechanisms or policies as "an inconvenience to them" and, because of that, behave as though they are "an exception to the rule."
I offer this blog less as an admonishment of SMB executives than as a reminder that they, too, are as susceptible to social engineering attacks like phishing and whaling emails as their employees. Executives need to be even more vigilant, though, because these attacks increasingly focus on them specifically and on the sensitive nature of what they know and have access to.
To create a culture of Cyber Security that starts from the top down in the hierarchy of your organization, contact me personally at firstname.lastname@example.org or 302-537-4198 to discuss a Cyber Security Awareness Training program tailored to you and your employees.